Encryption/Decryption
These two endpoint implements the encryption and decryption of short data message using the AES scheme.
Allowed users
Allowed
Required access scope
keymgmt:use:<KID>
where <KID> is a Key ID as 32 chars hexadecimal string
Encrypt
Encrypt a message
POST https://my.ence.do/api/crypto/cipher/encrypt
Encrypt a short data message and return ciphertext.
Headers
| Name | Type | Description |
|---|---|---|
Authorization* | String | Bearer JWT_TOKEN |
Content-Type* | String | application/json |
Request Body
| Name | Type | Description |
|---|---|---|
alg* | String | Algorithm to use (e.g. AES256-GCM) |
ext_kid | String | External Key ID, 32 chars hex string |
kid* | String | Key ID, 32 chars hex string |
msg | String | Plaintex to encrypt |
pubkey | String | Base64 encoded external public key |
ctx | String | Additional context data (HKDF argument) |
aad | String | Optional AAD data for AES-GSM only |
The key type pointed by ext_kid or represented by pubkey MUST be the same as the kid key type. Otherwise, indirect ECDH will be failed.
Possible alg values
alg values| Value | Description |
|---|---|
AES128-ECB | Regard to NIST SP 800-38A |
AES128-CBC | Regard to NIST SP 800-38A |
AES128-GCM | Regard to NIST SP 800-38D |
AES192-ECB | Regard to NIST SP 800-38A |
AES192-CBC | Regard to NIST SP 800-38A |
AES192-GCM | Regard to NIST SP 800-38D |
AES256-ECB | Regard to NIST SP 800-38A |
AES256-CBC | Regard to NIST SP 800-38A |
AES256-GCM | Regard to NIST SP 800-38D |
Response data for successful operation
| Name | Type | Description |
|---|---|---|
| String | Base64 encoded ciphertext |
| String | Base64 IV generated by the process |
| String | Optional TAG in base64 (for AES-GCM only) |
Log entries
| Event | Result | Source |
|---|---|---|
LOG_TYPE_FAILED_SCOPE_CHECK | LOG_RESULT_FAILED | 403 |
LOG_TYPE_CRYPTO_ENCRYPT | LOG_RESULT_ERROR | 400 |
LOG_TYPE_CRYPTO_ENCRYPT | LOG_RESULT_FAILED | 406 |
LOG_TYPE_CRYPTO_ENCRYPT | LOG_RESULT_OK | 200 |
Decrypt
Decrypt a message
POST https://my.ence.do/api/crypto/cipher/decrypt
Decrypt a short data message and return plaintext.
Headers
| Name | Type | Description |
|---|---|---|
Authorization* | String | Bearer JWT_TOKEN |
Content-Type* | String | application/json |
Request Body
| Name | Type | Description |
|---|---|---|
alg | String | Algorithm to use (e.g. AES256-GCM) |
ext_kid | String | External Key ID, 32 chars hex string |
kid* | String | Key ID, 32 chars hex string |
msg | String | Ciphertext to decrypt |
pubkey | String | Base64 encoded external public key |
ctx | String | Additional context data (HKDF argument) |
iv | String | Ciphertext IV |
tag | String | TAG value if AES-GCM used |
aad | String | Optional AAD data for AES-GSM only |
The key type pointed by ext_kid or represented by pubkey MUST be the same as the kid key type. Otherwise, indirect ECDH will be failed.
Possible alg values
alg valuesCheck the list here.
Response data for successful operation
| Name | Type | Description |
|---|---|---|
| String | Base64 decrypted plaintext |
Log entries
| Event | Result | Source |
|---|---|---|
LOG_TYPE_FAILED_SCOPE_CHECK | LOG_RESULT_FAILED | 403 |
LOG_TYPE_CRYPTO_DECRYPT | LOG_RESULT_ERROR | 400 |
LOG_TYPE_CRYPTO_DECRYPT | LOG_RESULT_FAILED | 406 |
LOG_TYPE_CRYPTO_DECRYPT | LOG_RESULT_OK | 200 |
Last updated